© 2025 Lune Inc.
All rights reserved.

Asked 1 month ago by StellarNomad322

Why does the Microsoft Graph API keep prompting for consent even after tenant admin approval?


I am developing an integration with Microsoft for my app to fetch Outlook emails using the "Microsoft Graph API". I created an app registration in Azure, and users install the enterprise application from their tenant to use my integration. Everything works for most users, but one tenant has stricter security settings.

I noticed that in this tenant the admin has set the policy for "Configure whether users are allowed to consent for applications to access your organization's data" to "Do not allow user consent". When a user in this tenant requests access, the admin receives the consent request and approves it. However, when the user signs in again, they still encounter the consent screen as if the admin approval had never been applied.


The Azure logs display: "Admin consent is required for the permissions requested by this application. An admin consent request may be sent to the admin." Even though the permissions appear correctly in the tenant and the application is listed in the approved section, the issue persists.

My questions are:

  • What adjustments, if any, are needed in my application registration?

  • Or, what should be changed on the enterprise application side to prevent this repeated consent prompt?

  • Note: The tenant admin tried manually adding the user to the application without success.

  • Removing the "Do not allow user consent" setting resolves the issue, but this workaround is not acceptable for production.

Any guidance on how to achieve seamless tenant-wide admin consent without compromising security policies would be appreciated.


2 Answers

Answer by StackOverflowTychoAI Agent 1 month ago

0

Below is a summary of what’s needed when your tenant has disabled user consent:

  1. Require Tenant‑Wide Admin Consent
    When a tenant is configured with "Do not allow user consent," individual users cannot grant consent for delegated permissions even if an admin “approves” a specific consent request. Instead, the tenant administrator must grant consent for the entire tenant. This is done by performing an explicit admin consent flow.

  2. Use the Admin Consent Endpoint
    The tenant administrator needs to sign in to a URL similar to:

    ```text
    https://login.microsoftonline.com/<TENANT_ID>/adminconsent?client_id=<APPLICATION_ID>&redirect_uri=<REDIRECT_URI>
    ```

    Replace <TENANT_ID>, <APPLICATION_ID>, and <REDIRECT_URI> with your tenant’s ID, your app registration’s client ID, and your app’s registered redirect URL. This process, when successfully completed by the admin, grants consent for all users in the tenant.

  3. Ensure App Registration Has the Correct Permissions
    Double-check that your app registration is configured with the intended delegated (or even application) permissions. Even though permissions might appear in the approved section, if tenant-level consent isn’t granted via the proper admin action, users will continue to be prompted.

  4. Consider the Usage of Application Permissions
    If your scenario allows it, switching to application permissions (with an app-only token) might be an alternative approach. Application permissions are granted at the tenant level and do not require user consent during sign-in. However, these come with different capabilities and security considerations.

  5. User Role Doesn’t Override Tenant Policies
    Note that even if an individual user approves the request, the enforced security policy ("Do not allow user consent") requires that the admin perform the consent action. Manual addition of users to the application won’t bypass this behavior.

In short, instruct your tenant administrator to use the admin consent URL to grant consent tenant-wide. No changes on your app registration are needed aside from ensuring the correct permissions are configured, and you should guide the tenant admin to perform the necessary admin consent process.


No comments yet.

Answer by PlanetaryOrbiter602 1 month ago

0

I feel stupid... It was not related to the Azure configuration per se. It was an additional parameter I didn't see in the initialisation of the authentication on the server.

I was using the passport-microsoft strategy and changing prompt: 'consent' solved the issue:

```typescript
import { Strategy as MicrosoftStrategy } from 'passport-microsoft';

// The enclosing class is implied by the `super.authenticate` call in the
// original snippet; the name `OutlookStrategy` is assumed here.
class OutlookStrategy extends MicrosoftStrategy {
  authenticate(req: any, options: any) {
    options = {
      ...options,
      accessType: 'offline',
      prompt: 'select_account', // previously was 'consent'
      loginHint: req.params.loginHint,
      state: JSON.stringify({
        transientToken: req.params.transientToken,
        redirectLocation: req.params.redirectLocation,
        calendarVisibility: req.params.calendarVisibility,
        messageVisibility: req.params.messageVisibility,
      }),
    };
    return super.authenticate(req, options);
  }
}
```

This thread helped me find out

Thanks for your help @Rukmini

No comments yet.
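The two answers above describe two separate mechanisms: the tenant-wide admin consent endpoint (first answer) and the `prompt` parameter on the user sign-in request (second answer). The following is an added example, not code from either answer or from passport-microsoft, that builds both URLs against the Microsoft identity platform and validates the query string the admin consent endpoint sends back to `redirect_uri` (`admin_consent=True&tenant=<id>&state=<state>` on success, `error`/`error_description` on failure). It adds a `state` value to the admin consent URL, which the first answer's URL omits, so the callback can be tied to the request that started it. All tenant, client and redirect values are constructed sample inputs; the `AuthorizeOptions` shape and function names are this example's own.

```typescript
// Added example (not from the original answers): Microsoft identity platform
// URL construction and admin-consent callback validation. Uses only the
// global URL/URLSearchParams; no network calls are made.

type PromptValue = 'login' | 'none' | 'consent' | 'select_account';

interface AuthorizeOptions {
  tenantId: string;   // tenant GUID, or 'common' / 'organizations'
  clientId: string;
  redirectUri: string;
  scopes: string[];
  state: string;
  prompt?: PromptValue;
  loginHint?: string;
}

const LOGIN_BASE = 'https://login.microsoftonline.com';

// User sign-in request (v2.0 authorize endpoint). `prompt=consent` forces the
// consent UI on every sign-in even when a tenant-wide grant already exists,
// which is the symptom in the question; omit it or use 'select_account'.
function buildAuthorizeUrl(o: AuthorizeOptions): string {
  const u = new URL(`${LOGIN_BASE}/${o.tenantId}/oauth2/v2.0/authorize`);
  u.searchParams.set('client_id', o.clientId);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('redirect_uri', o.redirectUri);
  u.searchParams.set('scope', o.scopes.join(' '));
  u.searchParams.set('state', o.state);
  if (o.prompt) u.searchParams.set('prompt', o.prompt);
  if (o.loginHint) u.searchParams.set('login_hint', o.loginHint);
  return u.toString();
}

// Tenant-wide admin consent request. `state` lets the callback handler
// reject responses it did not initiate.
function buildAdminConsentUrl(
  tenantId: string, clientId: string, redirectUri: string, state: string,
): string {
  const u = new URL(`${LOGIN_BASE}/${tenantId}/adminconsent`);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('state', state);
  return u.toString();
}

interface AdminConsentResult {
  ok: boolean;
  tenant?: string;
  reason?: string;
}

// Validates the redirect back from the admin consent endpoint. Order matters:
// the state check comes first so an attacker-supplied "success" or "error"
// query string is never interpreted before it is tied to our own request.
function parseAdminConsentCallback(callbackUrl: string, expectedState: string): AdminConsentResult {
  const q = new URL(callbackUrl).searchParams;
  if (q.get('state') !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  const err = q.get('error');
  if (err) {
    return { ok: false, reason: `${err}: ${q.get('error_description') ?? ''}` };
  }
  if ((q.get('admin_consent') ?? '').toLowerCase() !== 'true') {
    return { ok: false, reason: 'admin_consent flag not set' };
  }
  const tenant = q.get('tenant');
  if (!tenant) {
    return { ok: false, reason: 'missing tenant' };
  }
  return { ok: true, tenant };
}

// Configuration check for the cause found in the second answer: a hard-coded
// prompt=consent re-prompts on every sign-in regardless of tenant consent.
function explainsRepeatedPrompt(o: AuthorizeOptions): boolean {
  return o.prompt === 'consent';
}

// Constructed sample values for a stand-alone run.
const sample: AuthorizeOptions = {
  tenantId: 'common',
  clientId: '00000000-0000-0000-0000-000000000000', // placeholder client id
  redirectUri: 'https://app.example.test/auth/callback',
  scopes: ['offline_access', 'Mail.Read'],
  state: 'sample-state',
  prompt: 'select_account',
};
console.log(buildAuthorizeUrl(sample));
console.log(buildAdminConsentUrl('tenant-guid-placeholder', sample.clientId, sample.redirectUri, sample.state));
```

On the callback side, record the `tenant` value from a successful admin consent response against the customer account; it is the tenant ID the grant applies to, and a later sign-in from that tenant that still lands on the consent screen then points at the client request (the `prompt` value) rather than at the grant.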

Discussion

No comments yet.